As you might have noticed, I’ve been looking into VStarcam firmware lately. My analysis of 367 firmware branches found something astonishing: starting with approximately 2022 VStarcam has been systematically and intentionally undermining the security of their cameras, adding mechanisms designed to leak the authentication password. While we can only speculate about the reasons, it’s clear that these cameras cannot be trusted with access to the Internet. https://palant.info/2026/01/07/backdoors-in-vstarcam-cameras/
#security #iot #VStarcam #firmware
My new article is out, this time it’s about internet-connected cameras, mostly being marketed as spy cameras. While the cameras themselves are very different, the common factor is the LookCam app used to manage them.
There is already a considerable body of research on these and similar P2P cameras, so it shouldn’t be a surprise that their security is nothing short of horrible. Still, how the developers managed to make all the wrong choices here on every level (firmware, communication protocol, cloud functionality) is quite something.
https://palant.info/2025/09/08/a-look-at-a-p2p-camera-lookcam-app/
#infosec #iot #lookcam #security #vulnerability
After I published my article on malicious Chrome extensions running remote code I actually got a sample of malicious code for the Download Manager Integration Checklist extension. While somebody went through significant effort to obfuscate it, I managed to analyze all of its functionality: https://palant.info/2025/02/03/analysis-of-an-advanced-malicious-chrome-extension/
This extension turned out to be specializing in ad fraud. Better understanding of its code allowed me to find eight other extensions with very similar malicious functionality and one more that doesn’t appear malicious at the point but still related. Fun fact: the ad company in question appears to be scammed by one of their employees.
It seems that I’ve never done a proper #introduction despite having been here since 2018, so well…
I’m Wladimir Palant, and for the past few years I’ve been mostly doing security and privacy research. My goal is both making popular software more secure and teaching people about ways in which things typically go wrong. I also raise awareness to privacy violations. My findings are published in my blog: https://palant.info/
My primary focus are browser extensions, which I consider a severely under-researched area. I do also find myself reverse engineering binary applications occasionally.
You might have heard about my research on Avast spying which eventually led to their Jumpshot division being shut down: https://palant.info/categories/avast/
Some other interesting research:
· Remote code execution in Bitdefender antivirus from any website: https://palant.info/2020/06/22/exploiting-bitdefender-antivirus-rce-from-any-website/
· Remote code execution in McAfee WebAdvisor from any website: https://palant.info/2020/02/25/mcafee-webadvisor-from-xss-in-a-sandboxed-browser-extension-to-administrator-privileges/
· Remote code execution in Avast Secure Browser from any website: https://palant.info/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit/
· Amazon Assistant is a perfect user tracking machine: https://palant.info/2021/03/08/how-amazon-assistant-lets-amazon-track-your-every-move-on-the-web/
· Issues caused by Kaspersky antivirus breaking up HTTPS connections: https://palant.info/2019/08/19/kaspersky-in-the-middle--what-could-possibly-go-wrong/
Looks like I need to finally start thinking about migrating away from GitHub. I don’t have a lot, so bothering with self-hosting isn’t worth it, but I have 14 active repositories apparently that would be better off elsewhere.
Must be quite a remarkable coding error to remove parts of the US Constitution from the website in such a selective way. 🤔
https://arstechnica.com/tech-policy/2025/08/coding-error-blamed-after-parts-of-constitution-disappear-from-us-website/
I’m surprised that Firefox still has this “feature” which has been annoying people for the past 25 years or so. If you have a page open that just won’t finish loading and you finally give up and navigate away, chances are that the page will briefly show up before immediately being replaced by the site you navigated to. The typical reaction is: “oh no, it finally finished loading at the very moment I gave up! 😱”
What actually happened is: navigating away aborts the current loading sequence. And if there was enough data loaded to do some rendering but the browser was holding it off because it was waiting for some files still being loaded – that rendering will happen now, nothing stopping it any more. Obviously, it doesn’t actually need to render now, it won’t do anything useful other than mislead the user. But it seems that nobody thought of adding this special case to disable rendering if loading was aborted due to navigating away.
Interestingly though, there is a special case disabling rendering when loading was aborted due to the user clicking the Stop button. This one hasn’t always been there, pressing Stop used to make already loaded parts of the page show up.
Published a new article: Malicious extensions circumvent Google’s remote code ban
https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/
Looking at 60 malicious extensions belonging to three groups here, still running remote code despite Google banning it in Manifest V3. “Fun” fact: some of these extensions have been featured on my blog in 2023, others on McAfee’s in 2022.
Recurring pattern: downloading rules and adding them to declarativeNetRequest API. The abuse potential here is enormous, including injecting malicious scripts into websites.
Only one extension went for essentially a custom programming language, others settled with simpler approaches. Luckily for me because the latter allows better guesses about what this functionality is meant for. Spoiler: ads and affiliate fraud. Also: affiliate fraud and ads.
I meant to publish a rant about Google and Chrome Web Store for a while now, and now it is out: https://palant.info/2025/01/13/chrome-web-store-is-a-mess/
This details many of Google’s shortcomings at keeping Chrome Web Store safe, with the conclusion: “for the end users the result is a huge (and rather dangerous) mess.”
I am explaining how Google handled (or rather didn’t handle for most part) my recent reports. How they make reporting problematic extensions extremely hard and then keep reporters in the dark about the state of these reports. How Google repeatedly chose to ignore their own policies and allowed shady, spammy and sometimes outright malicious extensions to prevail.
There is some text here on the completely meaningless “Featured” badge that is more likely to be awarded to malicious extensions than to legitimate ones. And how user reviews aren’t allowing informed decisions either because Google will allow even the most obvious fakes to remain.
I’ve also decided to publish a guest post by a researcher who wanted to remain anonymous: https://palant.info/2025/01/13/biscience-collecting-browsing-history-under-false-pretenses/
This post provides more details on BIScience Ltd., another company selling browsing data of extension users. @tuckner@infosec.exchange and I wrote a bit about that one recently, but this has been going on since at least 2019 apparently. Google allows it as long as extension authors claim (not very convincingly) that this data collection is necessary for the extension’s functionality. It’s not that Google doesn’t have policies that would prohibit it, yet Google chooses not to enforce those.
#google #cws #ChromeExtensions #privacy #ChromeWebStore